docker-base with homedir similar to builder-base

solsson · solsson · commit 6567bd8261c9 · 2025-04-02T06:15:35.000+02:00
diff --git a/duckdb/Dockerfile b/duckdb/Dockerfile
@@ -15,7 +15,7 @@ RUN set -ex; \
 RUN echo '#!/bin/sh' > /tmp/xdg-open && chmod u+x /tmp/xdg-open
 
 # TODO needs a bit more distro than gcr.io/distroless/base but not this much
-FROM --platform=$TARGETPLATFORM yolean/docker-base
+FROM --platform=$TARGETPLATFORM yolean/homedir
 
 # TODO note
 # Failed to download extension "ui" at URL "http://extensions.duckdb.org/v1.2.1/linux_arm64_gcc4/ui.duckdb_extension.gz" (HTTP 403)
diff --git a/homedir/Dockerfile b/homedir/Dockerfile
@@ -0,0 +1,11 @@
+FROM --platform=$TARGETPLATFORM yolean/docker-base \
+  as base
+
+FROM base as nonroot
+WORKDIR /nonroot
+RUN set -e; \
+  mkdir -p home/nonroot/.cache; \
+  chown root home; chown -R 65532:65534 home/nonroot
+
+FROM base
+COPY --from=nonroot /nonroot /
diff --git a/test.sh b/test.sh
@@ -15,6 +15,7 @@ if [[ ! -z "$SOURCE_COMMIT" ]]; then
   fi
 fi
 
+# note that docker-base isn't actually nonroot, we just want to build that first
 MULTIARCH_NONROOT="
 docker-base
 builder-base
@@ -35,6 +36,7 @@ runtime-deno
 "
 
 MULTIARCH_TONONROOT="
+homedir
 java
 node
 node-kafka
diff --git a/to-nonroot/homedir/Dockerfile b/to-nonroot/homedir/Dockerfile
@@ -0,0 +1,8 @@
+FROM --platform=$TARGETPLATFORM yolean/homedir:root
+
+# Appends the same nonroot directives as https://github.com/Yolean/kubernetes-kafka/tree/master/nonroot
+# i.e. https://github.com/solsson/dockerfiles/tree/native/kafka-nonroot
+RUN grep 'nonroot:x:65532' /etc/passwd || \
+  echo 'nonroot:x:65532:65534:nonroot:/home/nonroot:/usr/sbin/nologin' >> /etc/passwd && \
+  mkdir -p /home/nonroot && touch /home/nonroot/.bash_history && chown -R 65532:65534 /home/nonroot
+USER nonroot:nogroup
